[Samba] Winbind group membership not updating
- Date: Mon, 25 Sep 2017 15:16:54 +0200
- From: Malte zu Klampen via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Winbind group membership not updating
We are currently in the process of replacing some of our file servers with Active Directory joined Samba servers. However, during testing we have noticed behaviour that has caught us off guard.
Changes in user group membership in AD do not show up on our file servers. Specifically, changing a user's groups in AD won't affect group membership on the Samba server once the user has authenticated. Even killing their processes won't.
This is a problem, as once a client has established a connection to a share, it will keep access to the share even if group membership has long since been revoked.
It is my understanding that group membership is updated at authentication time and cached forever. Is there a way around this?
With "winbind cache time = 10" changes in group membership show up in `id` quickly _only_ as long as the user in question has no active session. Once they show up in `net status sessions` group membership sticks forever.
I am experiencing this behaviour with 4.5.8-Debian, but looking through the bugs this seems to be a recurring theme in all versions. Are there good workarounds?
[global]
    obey pam restrictions = yes
    netbios name = redacted
    workgroup = REDACTED
    security = ADS
    realm = REDACTED.DE
    log level = 0
    usershare max shares = 0
    usershare path = /dev/null
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    inherit permissions = yes
    idmap config *:backend = tdb
    idmap config *:range = 1000 - 99999
    idmap config REDACTED:backend = rid
    idmap config REDACTED:range = 100000 - 500000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    load printers = no
    printcap name = /dev/null
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    winbind refresh tickets = Yes
    winbind cache time = 10
    winbind offline Logon = true
    winbind expand groups = 3

--
Malte zu Klampen / PC-Labor / Institut für Geowissenschaften
CAU zu Kiel / Otto-Hahn-Platz 5, D-24118 Kiel
Tel. +49 431 880-3904
:wq!